Bug 1817505 - Allowing specific cipher will remove all enabled ciphers if 'default ciphers' is clicked
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: 389-ds-base
Version: 11.2
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: DS11.3
: dirsrv-11.8
Assignee: Simon Pichugin
QA Contact: LDAP QA Team
Evgenia Martynyuk
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-03-26 13:08 UTC by sgouvern
Modified: 2023-03-01 16:36 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.The `default` keyword for enabled ciphers in the NSS does not work in conjunction with other ciphers

In Directory Server you can use the `default` keyword to refer to the default ciphers enabled in the network security services (NSS). However, if you want to enable the default ciphers and additional ones using the command line or web console, Directory Server fails to resolve the `default` keyword. As a consequence, the server enables only the additionally specified ciphers and logs an error similar to the following:

----
Security Initialization - SSL alert: Failed to set SSL cipher preference information: invalid ciphers <default,+cipher_name>: format is +cipher1,-cipher2... (Netscape Portable Runtime error 0 - no error)
----

As a workaround, specify all ciphers that are enabled by default in NSS including the ones you want to additionally enable.
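
The workaround from the Doc Text above, as an added example (not code from Directory Server or from this bug report): it detects a cipher preference that mixes `default` with other entries and expands it into an explicit `+cipher` list. The function names and the sample default list are assumptions; the real list of NSS default ciphers has to be supplied from the target host.

```python
import re

TOKEN = re.compile(r"^[+-][A-Za-z0-9_]+$")  # one "+cipher" or "-cipher" entry


def mixes_default(pref):
    """True when `default` is combined with other entries (the failing case)."""
    tokens = [t.strip() for t in pref.split(",") if t.strip()]
    return "default" in tokens and len(tokens) > 1


def expand_default(pref, nss_defaults):
    """Return an explicit +cipher list equivalent to `pref`.

    nss_defaults: cipher names enabled by default in NSS on the target host,
    supplied by the caller (this function does not query NSS).
    Entries are applied left to right, so "-X" only removes what is already set.
    """
    enabled = []
    for token in (t.strip() for t in pref.split(",")):
        if not token:
            continue
        if token == "default":
            enabled.extend(n for n in nss_defaults if n not in enabled)
        elif TOKEN.match(token):
            name = token[1:]
            if token[0] == "+" and name not in enabled:
                enabled.append(name)
            elif token[0] == "-" and name in enabled:
                enabled.remove(name)
        else:
            raise ValueError(f"invalid cipher entry: {token!r}")
    if not enabled:
        # Refuse to produce the empty 'Enabled ciphers' list seen in this bug.
        raise ValueError("resulting cipher list is empty")
    return ",".join("+" + name for name in enabled)


# Constructed sample, NOT the real NSS default set of any release.
SAMPLE_DEFAULTS = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]

if __name__ == "__main__":
    pref = "default,+TLS_CHACHA20_POLY1305_SHA256"
    if mixes_default(pref):
        print(expand_default(pref, SAMPLE_DEFAULTS))
```
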
Clone Of:
Environment:
Last Closed: 2023-03-01 16:36:23 UTC
Target Upstream Version:



Description sgouvern 2020-03-26 13:08:46 UTC
Description of problem:
On the 'Server Settings'/'Security'/'Cipher preferences' tab, allowing a specific cipher will remove all enabled ciphers if 'default ciphers' is selected after that.


Version-Release number of selected component (if applicable):
cockpit-389-ds-1.4.2.9-1.module+el8dsrv+6001+1cbc6dcf.noarch


How reproducible:
always

Steps to Reproduce:
1. Go to 'Server Settings'/'Security'/'Cipher preferences'
2. Select a cipher in 'allow specific ciphers' list
3. Click 'Default ciphers'
4. 'Save cipher preferences'
5. Restart the instance
6. Come back to 'Server Settings'/'Security'/'Cipher preferences'

Actual results:
The 'Enabled ciphers' list is empty

Expected results:
Enabled ciphers are default ones plus added allowed specific cipher

Additional info: 
A search of the list of enabled ciphers with dsconf will show: 'List of ciphers is empty'

Comment 1 mreynolds 2020-03-30 14:17:45 UTC
This isn't a problem with the UI or CLI; it is what is reported by NSS. Moving to a different component to investigate, as the root cause is not the UI.

Comment 6 sgouvern 2021-05-07 07:58:44 UTC
Moving to ITM 14 as it is not yet started

